R2 handshake failure (rclone, awscli, python script)

Developers Storage
1

For Workers & Pages, what is the name of the domain?

d29d1e5df4022a3338bb192d33fe0f2c.r2.cloudflarestorage.com

What is the error number?

TLS handshake failure

What is the error message?

Error: remote error: tls: handshake failure

What is the issue or error you’re encountering

Unable to connect to Cloudflare R2 storage using rclone, AWS CLI, or Python tools due to persistent TLS handshake failures, despite the endpoint being accessible via curl.

What steps have you taken to resolve the issue?

  1. Tested various rclone configurations with different TLS settings
  2. Tried insecure_skip_verify, tls_version = TLS1.2, and no_check_certificate options
  3. Attempted connection with AWS CLI and Python boto3 tools
  4. Verified basic connectivity with curl which succeeds but other tools fail
  5. Tested multiple TLS protocol versions in Python scripts
  6. Ran SSL Labs test which also failed to connect to the endpoint

What are the steps to reproduce the issue?

  1. Configure rclone with Cloudflare R2 credentials
  2. Run rclone lsd r2: -vv --dump bodies
  3. Observe TLS handshake failure regardless of configuration
  4. Verify with AWS CLI using same endpoint and credentials
  5. Confirm curl can establish TLS connection to the same endpoint
2

I’m having a persistent issue connecting to my R2 storage bucket that’s driving me crazy. I’m trying to use rclone with the command:

rclone lsd r2: -vv --dump bodies

But I keep getting TLS handshake failures. Here’s what I’ve tried and what I’ve found:

The Issue

  • Every attempt to connect to my R2 endpoint (d29d1e5df4022a3338bb192d33fe0f2c.r2.cloudflarestorage.com) fails with the same error: Error: remote error: tls: handshake failure
  • This happens with rclone, AWS CLI, and even with Python boto3 scripts
  • I’ve tried multiple TLS versions, different configurations, and disabling SSL verification

What Works

  • Basic TCP connections to the endpoint succeed
  • curl can connect to the endpoint and gets a 400 Bad Request with “Authorization” message (expected when not authenticated)
curl -v https://d29d1e5df4022a3338bb192d33fe0f2c.r2.cloudflarestorage.com/

This returns:

* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
...
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / x25519 / id-ecPublicKey
...
< HTTP/1.1 400 Bad Request
< Content-Type: application/xml
...
<?xml version="1.0" encoding="UTF-8"?><Error><Code>InvalidArgument</Code><Message>Authorization</Message></Error>

My Config

In my rclone.conf, I’ve tried:

[r2]
type = s3
provider = Cloudflare
access_key_id = <REDACTED>
secret_access_key = <REDACTED>
endpoint = https://d29d1e5df4022a3338bb192d33fe0f2c.r2.cloudflarestorage.com

I’ve also tried adding:

  • insecure_skip_verify = true
  • tls_version = TLS1.2
  • no_check_certificate = true
  • various other combinations

But nothing works - I still get the TLS handshake failure.

System Info

  • macOS (arm64)
  • OpenSSL 3.4.1
  • rclone v1.69.1

When I check on SSL Labs, I see “Failed to communicate with the secure server” errors for all connection attempts to the endpoint.

Any ideas what might be causing this or how to fix it? The weird part is that curl works fine with TLS but nothing else does. Are there known TLS issues with certain R2 endpoints?

3

My rclone conf file does not include the scheme. Try just d29d1e5df4022a3338bb192d33fe0f2c.r2.cloudflarestorage.com

4

I did try that, same result. :frowning: